Cenzic Introduces Web Application Discovery Tools

Many companies support more Web applications than they realize, leading to significant security issues, the company claims.

Cenzic rolled out its maiden product aimed at helping companies address the issue of Web applications security through finding online software systems that may exist unknown to IT administrators.

Labeled as Hailstorm Enterprise Application Risk Controller, the software package launched on Oct. 30 promises to automatically locate, list and scan Web applications to provide companies with a more comprehensive view of their online security status.

Since companies launch so many Web applications so frequently, many times the tools are forgotten by administrators, or never reported to IT operations in the first place, Cenzic officials said.

By allowing companies to get a better fix on the sheer number of Web applications they are already running, and how secure those systems may be, firms can immediately improve their overall standing in locking down the systems, according to Mandeep Khera, vice president of marketing for Cenzic, which is based in Santa Clara, Calif.

The product is specifically aimed at enterprises, as so many of the massive firms have far-flung operations that make it even harder to keep track of all their Web applications, he said.

"Companies often have no clue, and no approvals process for launching new Web applications, so the situation has gotten out of control within many enterprises," Khera said.

"Often times when they find out how many thousands of applications they already have, its a matter of prioritizing which ones to secure first, because there are typically so many that need to be addressed."

Most companies using the software find that the Web applications they are aware of also contain previously unknown security loopholes, according to Cenzic, so the Hailstorm Enterprise ARC product is typically used first to shore up mission-critical systems.

Typical problems that the program discovers include unpatched Web servers, and cross-site scripting flaws, the company said.

Another emerging problem highlighted by the company is the use of Web services tools such as AJAX (asynchronous JavaScript and XML), as many of the programs built on the programming technique have not been properly secured.

"AJAX is definitely becoming a big issue, and companies arent typically arent even surprised when they see the security weaknesses as they know that they were merely trying to get their applications up as quickly as possible," Khera said. "People are adopting this technology very rapidly, but theres not a lot of thought going toward security."

As such, one of the products features is support for finding and testing such Web services-based applications.

/zimages/2/28571.gifClick here to read more about Web services security specifications.

Among the other specific tools being touted by Cenzic in Hailstorm Enterprise ARC are a Web interface that allows for the viewing of applications security from anywhere in the world, an intelligent dashboard for centralized management of security issues, applications security status tracking tools and integrated reporting capabilities.

As part of the release of Cenzic Enterprise ARC, the company also announced a major upgrade to its Hailstorm Professional applications security software which includes a Web services module, PCI Compliance and new reporting tools.

Andrew Jaquith, analyst with Boston-based Yankee Group, said that such "auto-discovery" products are catching on with enterprises as they struggle to isolate all their security issues.

He said the Cenzic product should appeal to some of those firms, but observed that he would like the product to be more focused on business management problems, versus technical snafus.

"Most companies only know where about 70 percent of their network is, the challenge is discovering everything that you have and addressing the issues you dont already know about," Jaquith said.

"This product represents good evolutionary step forward for Cenzic, but they still need to make the product a little more focused on business issues versus technical flaws; its matter of hunting down the root cause of the problem, which is often a bigger deal than the vulnerability, but they will get there as this is still a young market."

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.